MTU of ME3400

Hi,
What is the configurable MTU for routing of GE ports in ME3400?
Thanks,
Patricia

The routing mtu is 1500 bytes by default. You may change it globally in this switches using the "system mtu routing " global command.
You may verify your current setup like this:
Switch# show system mtu
System MTU size is 1500 bytes
System Jumbo MTU size is 1500 bytes
Routing MTU size is 1500 bytes
For more information on setting the routing MTU, take a look to this URL.
http://www.cisco.com/en/US/docs/switches/metro/me3400/software/release/12.2_25_seg_seg1/command/reference/cli3.html#wpxref20063
-W
//rate-if-help

Similar Messages

Mid 2010 Macbook Pro - Change MTU size kills internet (Jumbo Frames)

Hi everyone, i'm hoping someone here can enlighten or help me solve my problem I'm having.
I am trying to change my MTU size to enable Jumbo frames on my 13 inch Mid 2010 Macbook Pro. I recently bought a ReadyNAS Ultra and would like to speed up transfers to the unit.
My setup is as follows:
I have my ReadyNAS Ultra 2 and 2010 Macbook Pro (Core 2 Duo) wired via cat6 ethernet to my 5th Generation Apple Airport Extreme. The Airport Extreme is connected via cat5e to my AT&T Uverse Gateway which is set up to allow my Airport to assign DHCP and NAT (gateway is in bridge mode with wireless off).
Anyways, I have enabled Jumbo frames on my ReadyNAS, when I enable them on my MBP.. it applies fine. It disconnects / reconnects the ethernet like it should, but then my connection drops. I can't see any devices on my LAN and I cannot access any internet websites, but according to the network pane I am still assigned a valid dhcp address. When I manually try to increase my MTU size, the same thing happens (from 9000 to 1600 I tried every size).....
Could it be my MBP just can't suppose the increase of MTU size? It leaves them at 1500 when I set it to automatic... if it doesn't support the increased MTU size, why would it let me custom change the MTU and even give an option to select "Jumbo Frames (9000)"?
I appreciate any help in advance!!

asdftroy wrote:
If you did read my post then you would have saw that the option is there, but that is not entirely what my inquiry is about. The option isn't working as intended, and I was wondering if anyone had the same issues as me. Thanks anyways.
Anyone else?
The way you responded to someone trying to help you probably means others will be hesitant to try.

Asa 5505 dsl / mtu based ssl problem

Hi everyone,
We moved our office to a different location (including our dsl conncetion). We also updated our asa from 8.0.3 to 8.0.4.
Since then, I'm having trouble opening the webportal from customers having a dedicated line.
I'm getting the certificate, can confirm it but the page won't load. When setting down the MTU size on the client everything works fine. Using a DSL or UMTS Line also works like a charm.
Ã®'ve set:
mtu inside 1500
mtu outside 1492
sysopt connection tcpmss 1452
crypto ipsec df-bit clear-df inside
crypto ipsec df-bit clear-df outside
i also attached an packet trace showing tcp checksum errors while loading the page.
Anybody has an idea?

Julian,
You are contributing to the issue with "sysopt connection tcpmss 1452"
Change it back to the default "1380" or lower - I suggest lower I use "1300"
And the commands
crypto ipsec df-bit clear-df inside
crypto ipsec df-bit clear-df outside
AFAIK they do not apply to the SSL connections

My MBP has started to send out TCP packets larger than the MTU on the NIC - is there any place that this can be overriden?

Got a very weird issue here and wondering if anyone has any other ideas. Basically over the wired NIC only, my Mac has started to send out large HTTP/HTTPS packets from the browser (> 1500 bytes) Captures show packet sizes from 2000 all the way to 4000 sometimes. This happens in Firefox and Chrome so doesn't appear to be application related.
This causes fragmentation issues and traffic drops which basically causes most of my websites and tools to crash and burn (and I get all sorts of SSL errors from applications, etc).
It appears to be limited to just TCP packets as pings with the DF bit set will not send any larger than 1500 bytes.
However if I switch to wireless, everything works fine and captures show the correct maximum packet size of 1500 for all packets leaving my client.
The MTU on the en0 interface is 1500 as per ifconfig and I made sure that it was set to 1500 in Network config panel (because there is an option for jumbo frames there which bumps up the MTU).
A packet capture also shows that during the three way handshake the TCP MSS is successfully sent and negotiated as 1480, but then it appears to ignore that when sending packets later in the TCP stream.
I've rebooted, upgraded to 10.7.4, checked the "sysctl" outputs and matched against a Mac not having the issue.
This is the newest MBP 15 inch model.
Any other ideas on things to check?

Have you used any sort of "tuner" software? You are obviously an advanced user. Sometimes we hack things up and forget about it later. If you are sure you didn't do that, maybe poke around with IPv6 settings. Supposedly people are trying to enable that and it is going to be a disaster.

Right way of configuring higher MTU over a Port Channel

Hi guys,
I have a running critical Port-Channel between two locations.
Here's the config
SW1:
interface Port-channel2
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
end
interface GigabitEthernet1/45
switchport trunk encapsulation dot1q
switchport mode trunk
channel-protocol lacp
channel-group 2 mode active
end
interface GigabitEthernet1/46
switchport trunk encapsulation dot1q
switchport mode trunk
channel-protocol lacp
channel-group 2 mode active
end
SW2
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-protocol lacp
channel-group 2 mode passive
end
interface GigabitEthernet1/2
switchport trunk encapsulation dot1q
switchport mode trunk
channel-protocol lacp
channel-group 2 mode passive
end
interface Port-channel2
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
end
Now I need to increase the MTU from default value to 9198. What the right way to do it and avoid any connectivity loss, PortChannel restart.
Does it matter what switch I start first?
Thanks!
L.E. both SW are WS-C4948

Hi,
Because you are using layer 2 interfaces - there is no fragmentation support at layer 2, and interfaces receiving frames which have an unsupported size will be dropped.
I think the best way for you to proceed is to lab this up; and verify what happens - it may be that you need to make changes on switches at either end of the channel within a very short time frame to prevent too large an outage.
When you are ready to maike your change - think the best way to do this is to use the interface range command, and apply the 'mtu' command to all the interfaces in this range. I don't think it matters which switch you apply this change to first, and I don't believe if you are hinting at the 802.3ad (controlled by system-priority) decision maker, that it makes any difference.
HTH
Mike

Airport card MTU speed needs to be changed

How do I change the MTU speed on my airport card? Internet hangs and runs slow. Rouert is N1 and support says mtu should ne 1400. Cant figure out how to change it.

I had a similar problem; in the end I got tired of working with terminal because the changes are not permanent. I went Googling and found that the OSX utility application 'Cocktail' allows you to customise MTU settings permanently. There are several applications available, but I settled for the one mentioned. Works like a charm for me. Try it and see if it does for you.

How do I reduce the MTU on my Airport Extreme Ethernet connection?

Hi there,
Is it possible to reduce the MTU on the Ethernet connection inside the Airport Extreme Base station. I was having trouble accessing some websites, but was able to fix it on a direct ethernet connection by reducting the MTU setting to below 1500. However, when I connect wirelessly ( I have a DSL modem connected to the WAN port of an Airport Extreme Base station), I still have the same problem, but there seems to be nowhere in the Admin utility where I can reduce the MTU for the connection.
Anyone know a work around for this?
Thanks
Martin
iMac G5 Mac OS X (10.4.3) Airport Extreme

Don't know if this will help, but if you use cocktail there is a place under "Network" where you can change the mtu setting for the machine you are using. I also remember seeing some info on this in the unix support group here in the forums.
PowerMac G4 MDD 2GB Ram, 1Ghz TiBook 1GB Ram Mac OS X (10.3.9)

HP LaserJet 400 MFP M425dn: bug in MTU path discovery, printer reboots via web interface

Firmware Datecode: 20121205
1. We can not access this MFU over VPN link. Otherer devices are accessed successfully.
As far as I understand there is an error in MTU Path Discovery.
tcpdump logs are attached.
Is there a way to change MTU of this device?
2. This MFU a reboots when I open page "Settings" of "Networking" submenu (/hp/device/set_config_networkSettings.html?tab=Networking&menu=NetSettings) if option "System" -> "System Setup" -> "Language" is "Russian". But this looks like a very good feature since I've have not found the way to reboot this printer remotely.
Here I was tring to access web interface over VPN (IPSec), 192.168.4.135 is IP of my comp, 192.168.160.200 - is IP of MFU, 192.168.160.254 is a gateway:
$ tcpdump -n -r printer-1.pcap
reading from file printer-1.pcap, link-type EN10MB (Ethernet)
17:20:29.337867 IP 192.168.4.135.54147 > 192.168.160.200.80: Flags [S], seq 2356029847, win 8192, options [mss 1460,nop,nop,sackOK], length 0
17:20:29.338026 IP 192.168.160.200.80 > 192.168.4.135.54147: Flags [S.], seq 614551948, ack 2356029848, win 8760, options [mss 1460,nop,nop,sackOK], length 0
17:20:29.344909 IP 192.168.4.135.54147 > 192.168.160.200.80: Flags [.], ack 1, win 64240, length 0
17:20:29.348488 IP 192.168.4.135.54147 > 192.168.160.200.80: Flags [P.], seq 1:304, ack 1, win 64240, length 303
17:20:29.348564 IP 192.168.160.200.80 > 192.168.4.135.54147: Flags [.], ack 304, win 8457, length 0
17:20:29.378872 IP 192.168.160.200.80 > 192.168.4.135.54147: Flags [P.], seq 1:513, ack 304, win 8457, length 512
17:20:29.379063 IP 192.168.160.200.80 > 192.168.4.135.54147: Flags [.], seq 513:1973, ack 304, win 8457, length 1460
17:20:29.379100 IP 192.168.160.254 > 192.168.160.200: ICMP 192.168.4.135 unreachable - need to frag (mtu 1280), length 48
17:20:29.379103 IP 192.168.160.200.80 > 192.168.4.135.54147: Flags [.], seq 1973:3433, ack 304, win 8457, length 1460
17:20:29.379135 IP 192.168.160.254 > 192.168.160.200: ICMP 192.168.4.135 unreachable - need to frag (mtu 1280), length 48
17:20:29.379251 IP 192.168.160.200.80 > 192.168.4.135.54147: Flags [.], seq 1:1461, ack 304, win 8457, length 1460
17:20:29.379272 IP 192.168.160.254 > 192.168.160.200: ICMP 192.168.4.135 unreachable - need to frag (mtu 1280), length 48
17:20:29.379274 IP 192.168.160.200.80 > 192.168.4.135.54147: Flags [.], seq 1461:2921, ack 304, win 8457, length 1460
17:20:29.379304 IP 192.168.160.254 > 192.168.160.200: ICMP 192.168.4.135 unreachable - need to frag (mtu 1280), length 48
17:20:29.379306 IP 192.168.160.200.80 > 192.168.4.135.54147: Flags [.], seq 2921:4381, ack 304, win 8457, length 1460
17:20:29.379335 IP 192.168.160.254 > 192.168.160.200: ICMP 192.168.4.135 unreachable - need to frag (mtu 1280), length 48
17:20:29.379338 IP 192.168.160.200.80 > 192.168.4.135.54147: Flags [.], seq 1:1461, ack 304, win 8457, length 1460
This is more detailed view on some packets.
$ tcpdump -nv -r printer-1.pcap
17:20:29.379063 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 1500)
192.168.160.200.80 > 192.168.4.135.54147: Flags [.], cksum 0x7233 (correct), seq 513:1973, ack 304, win 8457, length 1460
17:20:29.379100 IP (tos 0x0, ttl 64, id 62678, offset 0, flags [DF], proto ICMP (1), length 68)
192.168.160.254 > 192.168.160.200: ICMP 192.168.4.135 unreachable - need to frag (mtu 1280), length 48
IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 1500)
192.168.160.200.80 > 192.168.4.135.54147: Flags [.], seq 513:1973, ack 304, win 8457, length 1460
17:20:29.379103 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 1500)
192.168.160.200.80 > 192.168.4.135.54147: Flags [.], cksum 0x5edf (correct), seq 1973:3433, ack 304, win 8457, length 1460
17:20:29.379135 IP (tos 0x0, ttl 64, id 62679, offset 0, flags [DF], proto ICMP (1), length 68)
192.168.160.254 > 192.168.160.200: ICMP 192.168.4.135 unreachable - need to frag (mtu 1280), length 48
IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 1500)
192.168.160.200.80 > 192.168.4.135.54147: Flags [.], seq 1973:3433, ack 304, win 8457, length 1460
17:20:29.379251 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 1500)
192.168.160.200.80 > 192.168.4.135.54147: Flags [.], cksum 0x0c1c (correct), seq 1:1461, ack 304, win 8457,
P.S. This thread has been moved from LaserJets to Multifunction and All-in-One - HP Forums Moderator

John Getzke wrote:
Its hard to understand what you are trying to do or ask here. We have some offices connected via IPSEC tunnels. IPSEC interface's MTU is 1280 bytes (not 1500 bytes as Ethernet). All other devices successfully work over this VPN link. HP m2727 works. HP m425dn does not work. As a network administrator I've traced source of problem on all possible points and found that HP m425dn has a bug in the "Path MTU Path discovery" routine. The logs I attached shows that any packet of the TCP stream that the printer (160.200) sends to host (4.135) has "Don't fragment" flag set. According to IP standard the router HAVE TO discard the packet with DF flag set and size bigger then MTU since it can not pass a packet further without fragmentation - IPSEC MTU is 1280 bytes only while HP sends 1500 bytes. The router informs the printer about this problem with ICMP message Type: 3 (Destination unreachable) with Code: 4 (Fragmentation needed) suggesting MTU of next hop: 1280. The router does not communicate with the printer itself, it just informs the printer about network problem. According to IP standard the printer HAVE TO resend this data with the size of packet decreased according to suggested size. This is expected behavior of the Path MTU discovery routine. But the printer sends the packet again with the same size and DF flag set. The router again discards the packet and informs printer... This cycle repeats again and again until connection is closed due to timeout. Therefore "Path MTU discovery" routine is broken at this device. It would not be a serious problem, but the printer resends packets at rate over 28000 pps (about 40 MBytes per seconds) and its CPU is so heavily loaded that it even does not respond to touches on its touchscreen. So an innocent attempt to print document on terminal server located at another office leads to inaccessibility of the printer.
The network dump can be downloaded in PCAP format from here.

Anyconnect fails to connect with a message that it tried to set a specific MTU but it was already enabled with a different MTU - (SOLVED)

Cisco Anyconnect 3.1.05160 fails to setup the VPN tunnel, it prompts with this message:
"The VPN client driver encountered an error. Please restart your computer or device, then try again."
Authentication and everything seems to go through but it won't work.
The computer is a brand new HP with Windows 7. I have treid first with some later 2.x Anyconnect with same result.
The follow entries are printed in the event log:
Level Date and Time Source Event ID Task Category
Error 2014-05-10 16:19:28 acvpnagent 2009 None Termination reason code 13:
Unable to start VA, setup shared queue, or VA gave up on shared queue.
Error 2014-05-10 16:19:28 acvpnagent 2 Engineering Debug Details Function: CVpnMgr::main
File: .\VpnMgr.cpp
Line: 1847
Invoked Function: IHostMgr::enableHostMgr
Return Code: -23592949 (0xFE98000B)
Description: HOSTMGR_ERROR_ALREADY_ENABLED_WITH_DIFFERENT_MTU:An attempt was made to enable the tunnel's network interface with a specific MTU but it was already enabled with a different MTU.

This was caused by the good old HP mess-up-your-computer services.
Disable the service "HP Device Locking / Auditing" and the VPN will be able to connect.

MTU option of IPv6 router advertisement ignored

I recently turned up an IPv6 tunnel from Hurricane Electric (http://tunnelbroker.net/) to my home router, which is a Cisco 1921 ISR. The IPv6 tunnel works great, save for one small problem. That being that the MTU of the tunnel is 1480 and the MTU on my Mac is 1500. If I manually set the MTU on my Mac to 1480, everything works as expected. However, part of IPv6 autoconfig is setting the MTU for situations like this where there is a tunnel or the more common PPPoE, both of which require a lower MTU. The router is configured to set this option, and I can see it via tcpdump and radvdump:
[root@strongbad]# tcpdump -i en0 -n -XX icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:36:09.218626 IP6 fe80::ca9c:1dff:fed6:17a0 > ff02::1: ICMP6, router advertisement, length 64
    0x0000: 3333 0000 0001 c89c 1dd6 17a0 86dd 6e00 33............n.
    0x0010: 0000 0040 3aff fe80 0000 0000 0000 ca9c ...@:...........
    0x0020: 1dff fed6 17a0 ff02 0000 0000 0000 0000 ................
    0x0030: 0000 0000 0001 8600 1266 4000 0708 0000 .........f@.....
    0x0040: 0000 0000 0000 0101 c89c 1dd6 17a0 0501 ................
    0x0050: 0000 0000 05c8 0304 40c0 0027 8d00 0009 ........@..'....
    0x0060: 3a80 0000 0000 2001 0470 e9ba 0001 0000 :........p......
    0x0070: 0000 0000 0000                           ......
[root@strongbad]# radvdump
# radvd configuration generated by radvdump 1.6
# based on Router Advertisement from fe80::ca9c:1dff:fed6:17a0
# received by interface en0
interface en0
    AdvSendAdvert on;
    # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
    AdvManagedFlag off;
    AdvOtherConfigFlag off;
    AdvReachableTime 0;
    AdvRetransTimer 0;
    AdvCurHopLimit 64;
    AdvDefaultLifetime 1800;
    AdvHomeAgentFlag off;
    AdvDefaultPreference medium;
    AdvSourceLLAddress on;
    AdvLinkMTU 1480;
    prefix 2001:470:e9ba:1::/64
        AdvValidLifetime 2592000;
        AdvPreferredLifetime 604800;
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    }; # End of prefix definition
}; # End of interface definition
You can plainly see the MTU is at 1500, when it should be 1480:
[root@strongbad]# ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:16:cb:ab:af:0d
    inet6 fe80::216:cbff:feab:af0d%en0 prefixlen 64 scopeid 0x4
    inet 192.168.1.44 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 2001:470:e9ba:1:216:cbff:feab:af0d prefixlen 64 autoconf
    media: autoselect (1000baseT <full-duplex>)
    status: active
[root@strongbad]# netstat -in
Name Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs Coll
lo0   16384 <Link#1>                        800471     0   800471     0     0
lo0   16384 ::1/128     ::1                 800471     -   800471     -     -
lo0   16384 fe80::1%lo0 fe80:1::1           800471     -   800471     -     -
lo0   16384 127           127.0.0.1         800471     -   800471     -     -
gif0* 1280 <Link#2>                             0     0        0     0     0
stf0* 1280 <Link#3>                             0     0        0     0     0
en0   1500 <Link#4>    00:16:cb:ab:af:0d 24352460     0 36285322     0     0
en0   1500 fe80::216:c fe80:4::216:cbff: 24352460     - 36285322     -     -
en0   1500 192.168.1     192.168.1.44    24352460     - 36285322     -     -
en0   1500 2001:470:e9 2001:470:e9ba:1:2 24352460     - 36285322     -     -
fw0   2030 <Link#5>    00:1c:b3:ff:fe:9b:6d:d0        0     0        0     0     0
en1   1500 <Link#6>    00:1c:b3:b0:41:f0        0     0        0     0     0
vmnet 1500 <Link#7>    00:50:56:c0:00:01        0     0        0     0     0
vmnet 1500 172.16.130/24 172.16.130.1           0     -        0     -     -
vmnet 1500 <Link#8>    00:50:56:c0:00:08        0     0        0     0     0
vmnet 1500 172.16.123/24 172.16.123.1           0     -        0     -     -
On my Mac in System Preferences > Network > Ethernet > Advanced > Ethernet the "Configure" value is set to "Automatically". I discovered a manual sysctl setting that looked promising, but had no noticeable effect:
[root@strongbad]# sysctl -w net.inet6.ip6.accept_rtadv=1
net.inet6.ip6.accept_rtadv: 0 -> 1
I'm running the latest version of Snow Leopard (10.6.7) on my Mac, and there doesn't appear to be any updates for it. Just for fun, here's the kernel banner:
[root@strongbad]# uname -a
Darwin strongbad.local 10.7.0 Darwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386 i386
Any ideas on how to get my Mac to honor the MTU in IPv6 router advertisements and set the MTU automatically?
Thanks in advance,
-Lex

I was wrong. The MTU in IPv6 router advertisements is not ignored by my Mac. In fact, it works great. A few things threw me off here:
1. The IPv6 MTU is not relected in ifconfig and netstat output if it's different than IPv4.
2. The MTU size was wrong. The IPv6 MTU also has to account for ADSL PPPoE overhead the same as any other protocol. PPPoE adds 8 bytes overhead per packet. That means with the 6in4 tunneling overhead of 20 bytes, the true MTU for an IPv6 packet over a 6in4 tunnel over PPPoE is 1472.
3. The firewall was correctly configured to pass ICMPv6, so PMTUD was working. However, this created the illusion that some destinations were working and some were not. I wrongly assumed that mucking with the MTU to and from 1480 was making a difference. In reality, it was PMTUD doing its thing, albeit slowly and on a strict destination by destination basis.
In sum, setting the MTU on the router interface closest to my Mac to 1472, made it all work beautifully. I had to wait for a few route advertisements to pass by, but my Mac did end up doing the right thing.
One last thing worth noting. On a Cisco router, setting the "ipv6 mtu" to something non-default will be reflected in the IPv6 route advertisements it sends out.
Hope this helps,
-Lex

MTU Size Problem Loading Certain Webpages

Hello Colleagues,
I'm having a strange problem dealing with MTU sizes and loading certain webpages. I am aware of the default Microsoft MTU of 1500 and also using GRE IPSEC Tunnels recommended at MTU size 1400. I have since manually set some users PC's to MTU of 1400 and most of those users are experiencing no issues. However, there are a few users who still experience website loading issues even though I have manually changed their MTU size to 1400.
These are domain accounts will the same image loads on their machines, so all have the same permissions, rights, firewall settings, etc. They all use the same LAN, switches, and routers.
Here are the router configs, router 1 and router 2
Router 1
Current configuration : 9006 bytes
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname R-US-RS-WVPN1
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.153-1.T1.bin
boot system flash:c1900-universalk9-mz.SPA.151-3.T1.bin
boot-end-marker
logging buffered 64000
enable secret 5 *removed*
no aaa new-model
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause rootguard
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery interval 303
ip cef
ip domain name corp.com
ip name-server 10.###.8.21
ip name-server 10.###.8.96
ip inspect dns-timeout 90
ip inspect tcp idle-time 60
ip inspect name fw smtp timeout 120
ip inspect name fw ftp timeout 120
ip inspect name fw realaudio
ip inspect name fw tftp timeout 30
ip inspect name fw udp timeout 30
ip inspect name fw tcp timeout 60
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-316595902
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-316595902
revocation-check none
rsakeypair TP-self-signed-316595902
crypto pki certificate chain TP-self-signed-316595902
certificate self-signed 01
*removed*
        quit
license udi pid CISCO1921/K9 sn FTX153182M8
spanning-tree vlan 229 priority 8192
redundancy
ip ssh version 2
crypto isakmp policy 10
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key *removed* address 70.###.172.142
crypto isakmp key *removed* address 184.###.###.254
crypto isakmp keepalive 35 11
crypto ipsec transform-set FY-WVPN-Tunnel esp-aes esp-md5-hmac
mode tunnel
crypto map vpn 10 ipsec-isakmp
set peer 70.###.172.142
set peer 184.###.###.254
set transform-set FY-WVPN-Tunnel
match address gre-tunnel-list
interface Loopback0
ip address 10.###.0.10 255.255.255.255
interface Tunnel2291
description Primary-TimewarnerTelecom-Ral-FayWVPN1
ip address 10.###.99.26 255.255.255.252
no ip redirects
cdp enable
tunnel source 66.###.161.126
tunnel destination 184.###.###.254
crypto map vpn
interface Tunnel2293
description Primary-TimewarnerTelecom-Ral-FayWVPN2
ip address 10.###.99.154 255.255.255.252
no ip redirects
cdp enable
tunnel source 66.###.161.126
tunnel destination 70.###.172.142
crypto map vpn
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description TW Telecom/DMVPN1
ip address 66.###.161.126 255.255.255.252
ip access-group Block-Internet in
ip access-group Block-Internet out
duplex auto
speed auto
no cdp enable
crypto map vpn
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
interface GigabitEthernet0/0/0
switchport access vlan 229
no ip address
interface GigabitEthernet0/0/1
switchport access vlan 229
no ip address
interface GigabitEthernet0/0/2
switchport access vlan 229
no ip address
interface GigabitEthernet0/0/3
description PBX Eth1
switchport access vlan 229
no ip address
interface Vlan1
no ip address
shutdown
interface Vlan229
ip address 10.###.229.253 255.255.255.0
ip helper-address 10.###.231.201
standby 229 ip 10.###.229.254
standby 229 priority 105
standby 229 preempt
router eigrp 100
network 10.0.0.0
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 70.###.172.142 255.255.255.255 66.###.161.125
ip route 184.###.###.254 255.255.255.255 66.###.161.125
ip route 205.###.96.180 255.255.255.252 66.###.161.125
ip access-list extended Block-Internet
permit esp host 66.###.161.126 host 184.###.###.254
permit esp host 184.###.###.254 host 66.###.161.126
permit udp host 66.###.161.126 host 184.###.###.254 eq isakmp
permit udp host 184.###.###.254 host 66.###.161.126 eq isakmp
permit esp host 66.###.161.126 host 70.###.172.142
permit esp host 70.###.172.142 host 66.###.161.126
permit udp host 66.###.161.126 host 70.###.172.142 eq isakmp
permit udp host 70.###.172.142 host 66.###.161.126 eq isakmp
permit icmp host 66.###.161.126 host 184.###.###.254
permit icmp host 184.###.###.254 host 66.###.161.126
permit icmp host 66.###.161.126 host 70.###.172.142
permit icmp host 70.###.172.142 host 66.###.161.126
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any traceroute
permit icmp any any unreachable
deny   ip any any
deny   icmp any any
ip access-list extended gre-tunnel-list
permit gre host 66.###.161.126 host 184.###.###.254
permit gre host 66.###.161.126 host 70.###.172.142
logging host 10.100.###.254
logging host 10.100.###.246
snmp-server community a RW 20
snmp-server community r RO 20
snmp-server community a RW 20
snmp-server community r RO 20
snmp-server community P_RW RW
snmp-server community P_RO RO
snmp-server enable traps entity-sensor threshold
snmp-server host 10.100.###.246 public
snmp-server host 10.100.###.254 public
access-list 20 permit 10.###.9.3
access-list 20 permit 10.###.8.16
access-list 20 permit 10.100.###.249
access-list 20 permit 10.100.###.254
access-list 20 permit 10.100.###.246
control-plane
banner motd ^CCCCCCC
****************** Warning! Warning! Warning! ********************
This system is restricted to authorized users for business
purposes. Unauthorized access is a violation of the law. This
service may be monitored for administrative and security reasons.
By proceeding, you consent to this monitoring
****************** Warning! Warning! Warning! ********************
^C
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 60 0
password 7 *removed*
login local
transport input ssh
line vty 5 15
exec-timeout 60 0
password 7 *removed*
login local
transport input ssh
scheduler allocate 20000 1000
ntp server 10.###.8.8 prefer
ntp server 10.###.231.200 prefer
ntp server 10.###.8.69
ntp server 10.###.1.6 prefer
end
Router 2
Current configuration : 9013 bytes
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname R-US-RS-WVPN2
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.153-1.T1.bin
boot system flash:c1900-universalk9-mz.SPA.151-3.T1.bin
boot-end-marker
logging buffered 64000
logging console critical
enable secret 5 *removed*
no aaa new-model
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause rootguard
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery interval 303
ip cef
ip domain name corp.mann-hummel.com
ip name-server 10.###.8.21
ip name-server 10.###.8.96
ip inspect dns-timeout 90
ip inspect tcp idle-time 60
ip inspect name fw smtp timeout 120
ip inspect name fw ftp timeout 120
ip inspect name fw realaudio
ip inspect name fw tftp timeout 30
ip inspect name fw udp timeout 30
ip inspect name fw tcp timeout 60
ipv6 multicast rpf use-bgp
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-3179596086
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3179596086
revocation-check none
rsakeypair TP-self-signed-3179596086
crypto pki certificate chain TP-self-signed-3179596086
certificate self-signed 01
*removed*
        quit
license udi pid CISCO1921/K9 sn FTX153182M2
spanning-tree vlan 229 priority 1###84
redundancy
ip ssh version 2
crypto isakmp policy 10
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key *removed* address 70.###.172.142
crypto isakmp key *removed* address 184.###.###.254
crypto isakmp keepalive 35 11
crypto ipsec transform-set Fay-Ral-WVPN-Tunnel esp-aes esp-md5-hmac
mode tunnel
crypto map vpn 10 ipsec-isakmp
set peer 184.###.###.254
set peer 70.###.172.142
set transform-set Fay-Ral-WVPN-Tunnel
match address gre-tunnel-list
interface Loopback0
ip address 10.###.0.12 255.255.255.255
interface Tunnel2292
description Failover-TimewarnerCable-Ral-Fay-WVPN2
ip address 10.###.99.30 255.255.255.252
no ip redirects
cdp enable
tunnel source 96.###.25.226
tunnel destination 184.###.###.254
crypto map vpn
interface Tunnel2294
description Failover-TimewarnerCable-Ral-Fay-WVPN2
ip address 10.###.99.158 255.255.255.252
no ip redirects
cdp enable
tunnel source 96.###.25.226
tunnel destination 70.###.172.142
crypto map vpn
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description Fay-Ral WVPN
ip address 96.###.25.226 255.255.255.252
ip access-group Block-Internet in
ip access-group Block-Internet out
duplex auto
speed auto
no cdp enable
crypto map vpn
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet0/0/0
switchport access vlan 229
no ip address
interface GigabitEthernet0/0/1
switchport access vlan 229
no ip address
interface GigabitEthernet0/0/2
switchport access vlan 229
no ip address
interface GigabitEthernet0/0/3
description PBX Eth2
switchport access vlan 229
no ip address
interface Vlan1
no ip address
shutdown
interface Vlan229
ip address 10.###.229.252 255.255.255.0
ip helper-address 10.###.231.201
standby 229 ip 10.###.229.254
standby 229 preempt
router eigrp 100
network 10.0.0.0
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 70.###.172.142 255.255.255.255 96.###.25.225
ip route 184.###.###.254 255.255.255.255 96.###.25.225
ip route 205.###.96.180 255.255.255.252 66.###.161.125
ip access-list extended Block-Internet
permit esp host 96.###.25.226 host 184.###.###.254
permit esp host 184.###.###.254 host 96.###.25.226
permit udp host 96.###.25.226 host 184.###.###.254 eq isakmp
permit udp host 184.###.###.254 host 96.###.25.226 eq isakmp
permit esp host 96.###.25.226 host 70.###.172.142
permit esp host 70.###.172.142 host 96.###.25.226
permit udp host 96.###.25.226 host 70.###.172.142 eq isakmp
permit udp host 70.###.172.142 host 96.###.25.226 eq isakmp
permit icmp host 96.###.25.226 host 184.###.###.254
permit icmp host 184.###.###.254 host 96.###.25.226
permit icmp host 96.###.25.226 host 70.###.172.142
permit icmp host 70.###.172.142 host 96.###.25.226
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any traceroute
permit icmp any any unreachable
deny   ip any any
deny   icmp any any
ip access-list extended gre-tunnel-list
permit gre host 96.###.25.226 host 184.###.###.254
permit gre host 96.###.25.226 host 70.###.172.142
logging host 10.100.###.254
logging host 10.100.###.246
snmp-server community P_RW RW
snmp-server community P_RO RO
snmp-server community a RW 20
snmp-server community r RO 20
snmp-server community a RW 20
snmp-server community r RO 20
snmp-server enable traps entity-sensor threshold
snmp-server host 10.100.###.246 public
snmp-server host 10.100.###.254 public
access-list 20 permit 10.###.9.3
access-list 20 permit 10.###.8.16
access-list 20 permit 10.100.###.249
access-list 20 permit 10.100.###.254
access-list 20 permit 10.100.###.246
control-plane
banner motd ^CCCCCC
****************** Warning! Warning! Warning! ********************
This system is restricted to authorized users for business
purposes. Unauthorized access is a violation of the law. This
service may be monitored for administrative and security reasons.
By proceeding, you consent to this monitoring
****************** Warning! Warning! Warning! ********************
^C
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 60 0
password 7 *removed*
login local
transport input ssh
line vty 5 15
exec-timeout 60 0
password 7 *removed*
login local
transport input ssh
scheduler allocate 20000 1000
ntp server 10.###.8.8 prefer
ntp server 10.###.231.200 prefer
ntp server 10.###.8.69
ntp server 10.###.1.6 prefer
end

UPDATE
I have since applied the following config to the tunnel interfaces:
ip mtu 1400
ip tcp adjust-mss 1400
tunnel path-mtu-discovery
This worked and I was able to reset each users PC to default MTU size of 1500, but only until just now. I got a call from a user who explained that he wasn't able to reach some websites, again.
Sure enough, I've just confirmed that all of the users are unable to access the websites any longer.
This is crazy, does anyone have any ideas?

How do you change the MTU size in a Cisco 871?

This 871 is at a remote site and is an ezvpn IPsec client (network extension mode) back to a 3030 headend.
We're having problems with a PC trying to connect through the IPsec tunnel and we think it may be an MTU size problem.
Int F4 is the outside interface.
We are using a virtual-template associated with the crypto ipsec client ezvpn statement.
When I go into any of the 871 interfaces and type 'mtu 1370' it errors out with 'The F4 (or whatever interface) does not allow manual MTU size configuration.
If I type 'ip mtu 1370' on F4 (or vlan1 or virtual-template 1) this is accepted, but when I do a 'show int f 4', it still shows MTU of 1514 - even after a reload.
What is the correct way to set the MTU size in the 871 router - and is it best set on the F4 interface, the vlan, or the virtual-template interface?

Hi
As per the supporting doc Cisco 871 has one want ethernet interface and 2 switch ports.
I feel you are trying to change the mtu under the switch port which may not be possible.
You can refer the below link for more info..
http://www.cisco.com/en/US/products/hw/routers/ps380/products_data_sheet0900aecd8028a976.html
regds

How do you change the mtu size

i recently bought a WRT54G wireless router and i have my desktop directly hooked up (not wireless) and every time i go to play games or surf the net it has some pretty severe lag spikes. i have done some searching and i see something about changing the MTU to a certain amount but i have no idea what that is or how to change it. so if u have any suggestions for me that would be appreciated

connect a computer to the router's port#1 and access the router using http://192.168.1.1 . the default password is admin
on the ui , under the " basic setup " subtab , you have an option to change the MTU size..by default the MTU is disabled...change it to enable and change the MTU size as required...

Too low IP mtu vs ethernet mtu

Hello,
If the switch gets packet on interface and the packets MTU is bigger, so it will constantly drop the packet ?
now:
If the router gets bigger packet that its IP MTU, the router has an option to fragment the packet?
Do i'am right ?
Thanks!

I have the same problem Im using the Wrt54G linksys wireless-g router, changed the MTU to 1365, and am failing the xbox live mtu test. The router was fine at 1500, when I had my old motorola surfboard modem, I traded in for a newer model the Sb5120. And so far, no xbox. Dont know what else to do. Xbox customer support is a joke. Comcast is a joke. I dont know how to change the MTU setting on the modem, don't think thats the problem anyway its default is 1500.
I have the modem going to the router, the router going to the xbox 360. No xbox live tho. Reset everything multiple times. So now Im asking you guys for your help. Im gonna call comcast tomorrow see what they have to say, even tho the people there are monkeys with typewriters.... I should have never switched modems....

How to decide the size of MTU when writing an interface ?

I have very little knowledge about network interface. But I want to write a network interface. But I am not getting how the MTU for an interface is decided depending upon the network physical capabilities. Like :
localhost has 1500 bytes
But this size is not enough for high-speed networks which exist now a days. I am not getting how this size of MTU is actually affecting the network. And how we can find the optimal MTU for any network.

This depends on what exactly do you mean by 'network interface'? Firmware for an NIC? a device driver for an NIC? Or you you mean an application API? And if so, for UDP or TCP?
If UDP, all you need to know is that the practical limit on a datagram that has to go through routers is 534 bytes.
If TCP, you don't have to worry about MTU in the slightest.

MTU of ME3400

Similar Messages

Maybe you are looking for